Alternating-time temporal logic with strategy contexts (ATL$_{sc}$) is a powerful formalism for expressing
properties of multi-agent systems: it extends CTL with strategy quantifiers, offering a convenient way 
of expressing both collaboration and antagonism between several agents. Incomplete observation 
of the state space is a desirable feature in such a framework, but it quickly leads to undecidable 
verification problems. In this paper, we prove that uniform incomplete observation (where all players 
have the same observation) preserves decidability of the model checking problem, even for very 
expressive logics such as ATL$_{sc}$.

1 Introduction 

Model checking is a powerful technique for automatically checking properties of computerized systems
[Pnu77, CE82, QS82]. Model-checking algorithms classically take as input a model of the system
under analysis (e.g. a finite-state automaton), and a formal property (expressed e.g. in some temporal
logic, such as LTL or CTL) to be checked; they then automatically and exhaustively verify whether the set
of behaviors of the model satisfies the property. 

During the last 15 years, model checking has been extended to handle complex systems, whose 
behaviors are the result of the interactions of several components. Games played on graphs are a 
convenient model for representing such interactions, and temporal logics have hence been proposed in
order to express relevant properties in such a setting. One of the specification languages for navigating the
execution trees of multi-agent systems is the temporal logic ATL [AHK02] (Alternating-Time Temporal
Logic); it is an extension of the branching temporal logic CTL which allows expressing properties such
as the fact that a component can enforce a certain behavior independently of the actions performed by
the other components. ATL has then been enriched in different ways to obtain more expressive logics for
multi-agent systems. In particular, ATL$_{sc}$ (ATL with strategy contexts) [BDLM09, LM15] and Strategy
Logic [CHP07, MMV10] are two powerful extensions with similar properties in terms of expressive
power and algorithmic properties. It was furthermore proved that those two logics have decidable, but
Tower-complete, model-checking problems.

In the approaches cited above, it is always assumed that all the players in the games have perfect 
observation of the state of the game, and that they also have perfect recall of the sequence of states that have 
been visited. In other words, they can choose an action to perform based on the entire sequence of states 
visited before. However, in many applications, components only have bounded memory, and most often 
they do not have the ability to fully observe all the other components of the system. While considering 
imperfect recall (the hypothesis that each player can only store the history of the seen states in a finite
memory) can greatly simplify verification algorithms (since the number of strategies in the systems
becomes finite), partial observation is known to make ATL model checking undecidable [AHK02, DT11].
Such results obviously carry over to more expressive logics like ATL$_{sc}$. Decidability can be regained by
restricting to imperfect-recall strategies [Sch04], or by considering hierarchical information [BMV15] or
special communication architectures in distributed synthesis [KV01, Sch08].

In this paper, we consider a restricted case of partial observation, where all the players have the same 
information about the state space. We call such a case uniform partial observation. We prove that under
this hypothesis, model checking concurrent game structures is decidable, even for the powerful logic ATL$_{sc}$.
In particular, it is decidable whether there exists a strategy, based only on a subset of atomic propositions
(assuming that the precise states and the other propositions are not visible), to enforce a given property.
Note also that the restriction to uniform observation is not significant when one looks for a strategy of a
single agent $a$ against all other players, since the semantics we use requires that the strategy be winning for
any outcome (hence the exact observation of the opponent players is irrelevant). The decidability proof for
model checking under uniform partial observation is obtained by adapting a previous approach developed
in [DLM12, LM15], which consists in transforming the model-checking problem for ATL$^*_{sc}$ into a
model-checking problem for QCTL, an extension of CTL with propositional quantification. A similar technique
also allows us to prove that when restricting the strategy quantifiers to range over memoryless strategies,
the model-checking problem for ATL$^*_{sc}$ with partial observation is again decidable. We finally prove
that satisfiability checking for ATL$_{sc}$ with partial observation (i.e., deciding whether there exists a game
structure with partial observation satisfying a given formula of ATL$^*_{sc}$) is undecidable, even in the case of
turn-based games (where satisfiability is decidable under full observation [LM13]).

2 Definitions 

2.1 Game structures with partial observation 

In this paper, we consider concurrent games with partial observation. They correspond to classical
concurrent game structures [AHK02] where, for each agent, an equivalence relation over the states of the
structure defines sets of states that are observationally equivalent for this player. Observation equivalence
extends to sequences of states in the obvious way. The strategies of the agents then have to be compatible
with their observation, in the sense that after two observationally equivalent plays, a strategy has to return
the same action. In this preliminary section, we formalize this setting. 

Throughout this paper, we consider a set AP of atomic propositions. We recall that a Kripke structure
over AP is a tuple $\langle Q, R, \ell\rangle$ where $Q$ is a countable set of states, $R \subseteq Q \times Q$ is the transition relation and
$\ell : Q \to 2^{\mathsf{AP}}$ is a state-labeling function.

Definition 1. A concurrent game structure with partial observation (CGSO) is a tuple $\mathcal{G} = \langle Q, R, \ell, \mathsf{Agt}, \mathcal{M}, \mathsf{Mov}, \mathsf{Edge}, (\sim_a)_{a\in\mathsf{Agt}}\rangle$ where: $\langle Q, R, \ell\rangle$ is a finite-state Kripke structure; $\mathsf{Agt} = \{a_1,\ldots,a_p\}$ is a finite set of agents (or players); $\mathcal{M} = \{m_1,\ldots,m_r\}$ is a finite set of moves (or actions); $\mathsf{Mov}: Q \times \mathsf{Agt} \to 2^{\mathcal{M}} \setminus \{\emptyset\}$ defines the set of available moves of each agent in each state; $\mathsf{Edge}: Q \times \mathcal{M}^{\mathsf{Agt}} \to Q$ is a transition table associating, with each state $q$ and each set of moves of the agents, the resulting state $q'$, with the requirement that $(q,q') \in R$; finally, $(\sim_a)_{a\in\mathsf{Agt}}$ assigns to each player an equivalence relation over $Q$.

In the following, we assume w.l.o.g. (w.r.t. existence of specific strategies) that $\mathsf{Mov}(q,a) = \mathcal{M}$ for
every $q \in Q$ and $a \in \mathsf{Agt}$: all the actions are available to all the players at any time. A move vector
is a vector $m \in \mathcal{M}^{\mathsf{Agt}}$; for such a vector and for an agent $a \in \mathsf{Agt}$, we denote by $m[a]$ the move of
agent $a$ in $m$. A turn-based game structure with partial observation (TBGSO) is a CGSO for which
there exists a mapping $\mathsf{Own} : Q \to \mathsf{Agt}$ such that for any $q \in Q$ and for any two move vectors $m$ and $m'$,
if $m[\mathsf{Own}(q)] = m'[\mathsf{Own}(q)]$, then $\mathsf{Edge}(q,m) = \mathsf{Edge}(q,m')$.

As we mentioned above, each relation $\sim_a$ with $a \in \mathsf{Agt}$ characterizes the observation of the agent $a$ in
the game structure: if $q \sim_a q'$ then agent $a$ is not able to make a distinction between the states $q$ and $q'$;
in such a case, we say that $q$ and $q'$ are $a$-equivalent. As an important special case, an observation relation
$(\sim_a)_{a\in\mathsf{Agt}}$ is said to be uniform when ${\sim_a} = {\sim_{a'}}$ for all $a,a' \in \mathsf{Agt}$. In that case we might substitute the set
$(\sim_a)_{a\in\mathsf{Agt}}$ by a unique equivalence relation $\sim$.

A finite path in the CGSO $\mathcal{G}$ is a finite non-empty sequence of states $\rho = q_0 q_1 q_2 \cdots q_k$ such that
$(q_i, q_{i+1}) \in R$ for all $i \in \{0,\ldots,k-1\}$. An infinite path (or run) is an infinite sequence of states such that
each finite prefix is a finite path. We denote by Path (resp. InfPath) the set of finite (resp. infinite) paths.
Let $|\rho|$ denote the length of the path $\rho$ (with $|\rho| = \infty$ if $\rho$ is infinite). For $0 \le i < |\rho|$, we write $\rho(i)$ to represent
the $(i+1)$-th element of the path $\rho$. For a path $\rho$, we write $\mathsf{first}(\rho)$ for its first element $\rho(0)$ and, when
$|\rho| < \infty$, we write $\mathsf{last}(\rho)$ for its last element $\rho(|\rho|)$. For $0 \le i < |\rho|$, we denote by $\rho_{\le i}$ the prefix of $\rho$
until position $i$, i.e. the finite path $\rho(0)\rho(1)\ldots\rho(i)$. We extend the equivalence relation $\sim_a$ for $a \in \mathsf{Agt}$
to paths as follows: two paths $\rho$ and $\rho'$ are $a$-equivalent (written $\rho \sim_a \rho'$) if, and only if, $|\rho| = |\rho'|$ and
$\rho(i) \sim_a \rho'(i)$ for every $0 \le i < |\rho|$.

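Given a CGSO $\mathcal{G}$ and one of its states $q_0$, we write $\mathcal{T}_{\mathcal{G}}(q_0)$ for the execution tree of $\mathcal{G}$ from $q_0$:
formally, $\mathcal{T}_{\mathcal{G}}(q_0)$ is the pair $\langle T, \ell\rangle$ where $T$ is the set of all finite paths (called nodes in the context of trees)
in $\mathcal{G}$ with first state $q_0$, and $\ell$ labels each node $\rho$ with the labeling of $\mathsf{last}(\rho)$ in $\mathcal{G}$. It will be convenient in
the sequel to see execution trees as infinite-state Kripke structures. To alleviate notations, we still write
$\mathcal{T}_{\mathcal{G}}(q_0)$ for the Kripke structure $\langle T, R, \ell\rangle$ where $\langle T, \ell\rangle$ is the tree defined above, and $R \subseteq T \times T$ is the
transition relation such that $(\rho,\rho') \in R$ whenever $\rho$ is the prefix of $\rho'$ of length $|\rho'| - 1$.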

A strategy for agent $a \in \mathsf{Agt}$ is a function $f_a : \mathsf{Path} \to \mathcal{M}$; it associates with any finite path a move to
be played by agent $a$ after this path. A strategy $f_a$ for agent $a \in \mathsf{Agt}$ is said to be memoryless whenever
for any two finite paths $\rho$ and $\rho'$ such that $\rho(|\rho| - 1) = \rho'(|\rho'| - 1)$, it holds $f_a(\rho) = f_a(\rho')$. Hence the
decision of a memoryless strategy depends only on the current control state; for this reason, we may
simply give such a strategy as a function $f_a : Q \to \mathcal{M}$. A strategy $f_A$ for a coalition of agents $A \subseteq \mathsf{Agt}$
is a set of strategies $\{f_a\}_{a\in A}$ assigning a strategy $f_a$ to each agent $a \in A$ (note that a strategy for agent $a$
is equivalent to a strategy for coalition $\{a\}$). Given a strategy $f_A = \{f_a\}_{a\in A}$ for coalition $A$, we say that
a path $\rho$ respects $f_A$ from a finite path $\pi$ if, and only if, for all $0 \le i < |\pi|$, we have $\rho(i) = \pi(i)$ and
for all $|\pi| < i < |\rho| - 1$, we have that $\rho(i+1) = \mathsf{Edge}(\rho(i),m)$ where $m$ is a move vector satisfying
$m(a) = f_a(\rho_{\le i})$ for all $a \in A$. Given a finite path $\pi$, we denote by $\mathsf{Out}(\pi, f_A)$ the set of infinite paths $\rho$
such that $\rho$ respects the strategy $f_A$ from $\pi$. Given a strategy $g_A = \{g_a\}_{a\in A}$ for a coalition $A$ and a strategy
$f_B = \{f_b\}_{b\in B}$ for a coalition $B$, we denote by $g_A \circ f_B$ the strategy $\{h_c\}_{c\in A\cup B}$ for coalition $A \cup B$ such that
$h_c = g_c$ for all $c \in A$ and $h_c = f_c$ for all $c \in B \setminus A$. Finally, given a strategy $f_B = \{f_b\}_{b\in B}$ for a coalition $B$ and a
set of agents $A \subseteq \mathsf{Agt}$, we denote by $(f_B)_{|A}$ (resp. $(f_B)_{\setminus A}$) the strategy $\{f_b\}_{b\in B\cap A}$ (resp. $\{f_b\}_{b\in B\setminus A}$) for
coalition $B \cap A$ (resp. $B \setminus A$).

Partial observation comes into play by restricting the space of allowed strategies: in our setting,
we only consider strategies that are compatible with the observation in the game, which means that after
any two $a$-equivalent finite paths $\rho$ and $\rho'$, the strategies for agent $a$ have to take the same decisions
(i.e. $f_a(\rho) = f_a(\rho')$). We could equivalently define a compatible strategy for $a$ as a function from the
quotient set $\mathsf{Path}/{\sim_a}$ to $\mathcal{M}$, such that if $[\rho]$ is the equivalence class of $\rho$ with respect to $\sim_a$, then $f_a([\rho])$
gives the move to play for $a$ from any history equivalent to $\rho$. A strategy $f_A = \{f_a\}_{a\in A}$ for coalition $A$
is compatible if $f_a$ is compatible for all $a \in A$. We write $\mathsf{Strat}(A)$ to denote the unrestricted strategies
for coalition $A$, $\mathsf{Strat}^{\sim}(A)$ for the set of compatible strategies, and $\mathsf{Strat}_0(A)$ for the set of compatible
memoryless strategies for $A$.

2.2 ATL with strategy contexts

We will be interested in the logic ATL$_{sc}$, which extends the alternating-time temporal logic of [AHK02]
with strategy contexts. We assume a fixed set of atomic propositions AP and a fixed set of agents Agt.

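Definition 2. The formulas of ATL$^*_{sc}$ are defined by the following grammar:

$$\mathsf{ATL}^*_{sc} \ni \varphi_s, \psi_s ::= P \mid \neg\varphi_s \mid \varphi_s \vee \psi_s \mid \langle\cdot\overline{A}\cdot\rangle\,\varphi_p \mid \langle\cdot A\cdot\rangle\,\varphi_p \mid (|A|)\,\varphi_p \mid (|\overline{A}|)\,\varphi_p$$

$$\varphi_p, \psi_p ::= \varphi_s \mid \neg\varphi_p \mid \varphi_p \vee \psi_p \mid \mathbf{X}\,\varphi_p \mid \varphi_p\,\mathbf{U}\,\psi_p$$

where $P$ ranges over AP and $A$ ranges over $2^{\mathsf{Agt}}$.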

We interpret ATL$^*_{sc}$ formulas over CGSOs, within a context (i.e., a preselected strategy for a coalition):
state formulas of the form $\varphi_s$ in the grammar above are evaluated over states, while path formulas of the
form $\varphi_p$ are evaluated along infinite paths. In order to have a uniform definition, we evaluate all formulas
at a given position along a path.

In ATL$^*_{sc}$, contrary to the case of classical ATL [AHK02], when strategy quantifiers assign new
strategies to some players, the other players keep on playing their previously-assigned strategies. This is
what “strategy contexts” refer to. Informally, formula $\langle\cdot A\cdot\rangle\,\varphi_p$ holds at position $n$ along $\rho$ under the
context $F$ if it is possible to extend $F$ with a strategy for the coalition $A$ such that the outcomes of the
resulting strategy after $\rho_{\le n}$ all satisfy $\varphi_p$. In Section 4, we also consider the strategy quantifier $\langle\cdot A\cdot\rangle_0$,
which quantifies only over memoryless strategies. Finally, strategies can be dropped from the context using
the operator $(|\cdot|)$. Notice that in this paper, all strategy quantifiers are restricted to compatible strategies.

We now define the semantics formally. Let $\mathcal{G}$ be a CGSO with agent set Agt, $\rho$ be an infinite path
of $\mathcal{G}$, and $n \in \mathbb{N}$. Let $B \subseteq \mathsf{Agt}$ be a coalition, and $f_B \in \mathsf{Strat}^{\sim}(B)$. That a (state or path) formula $\varphi$ holds
at a position $n$ along $\rho$ in $\mathcal{G}$ under strategy context $f_B$, denoted $\mathcal{G},\rho,n \models_{f_B} \varphi$, is defined inductively as
follows (omitting atomic propositions and Boolean operators):


\=f, ^A\)¥ 

iff 


‘^,PF l=A <\A\)¥ 

iff 


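$\mathcal{G},\rho,n \models_{f_B} \langle\cdot A\cdot\rangle\,\varphi_p$ iff $\exists g_A \in \mathsf{Strat}^{\sim}(A).\ \forall\rho' \in \mathsf{Out}(\rho_{\le n}, g_A \circ f_B).\ \mathcal{G},\rho',n \models_{g_A\circ f_B} \varphi_p$

$\mathcal{G},\rho,n \models_{f_B} \langle\cdot\overline{A}\cdot\rangle\,\varphi_p$ iff $\mathcal{G},\rho,n \models_{f_B} \langle\cdot\mathsf{Agt}\setminus A\cdot\rangle\,\varphi_p$

$\mathcal{G},\rho,n \models_{f_B} \mathbf{X}\,\varphi_p$ iff $\mathcal{G},\rho,n+1 \models_{f_B} \varphi_p$

$\mathcal{G},\rho,n \models_{f_B} \varphi_p\,\mathbf{U}\,\psi_p$ iff $\exists l \ge 0.\ \mathcal{G},\rho,n+l \models_{f_B} \psi_p$ and $\forall\, 0 \le m < l.\ \mathcal{G},\rho,n+m \models_{f_B} \varphi_p$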


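Finally, we write $\mathcal{G},q_0 \models \varphi_s$ when $\mathcal{G},\rho,0 \models_{\emptyset} \varphi_s$ (with empty context) for all paths $\rho$ such that
$\rho(0) = q_0$. Notice that this does not depend on the choice of $\rho$. The usual shorthands such as F and G are
defined as for CTL*. It will also be convenient to use the constructs $[\![\cdot A\cdot]\!]\,\varphi_p$ as a shorthand for $\neg\langle\cdot A\cdot\rangle\,\neg\varphi_p$,
and $\langle\cdot A\cdot\rangle\,\varphi_s$ as a shorthand for $\langle\cdot A\cdot\rangle\,\bot\,\mathbf{U}\,\varphi_s$. The CTL* universal path quantifiers E and A can be expressed
in ATL$^*_{sc}$. For instance, $\mathbf{A}\varphi$ is equivalent to $(|\overline{\emptyset}|)\,\langle\cdot\emptyset\cdot\rangle\,\varphi$. Finally the fragment ATL$_{sc}$ of ATL$^*_{sc}$ is defined
as usual, by restricting the set of path formulas to

$$\varphi_p, \psi_p ::= \neg\varphi_p \mid \mathbf{X}\,\varphi_s \mid \varphi_s\,\mathbf{U}\,\psi_s.$$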

Remarks. The strategy quantifiers for complement coalitions (namely $\langle\cdot\overline{A}\cdot\rangle$ and $(|\overline{A}|)$) are only useful
in case the set Agt is not known in advance, as is the case when dealing with satisfiability or with
expressiveness questions. 

Remark 4. As opposed to Strategy Logic [CHP07, MMV10], the (existential) strategy quantifiers in
ATL$_{sc}$ include an implicit (universal) quantification over the outcomes of the strategies of the unassigned
players. This is indeed a quantification over all the outcomes, and not over the outcomes that would result 
only from compatible strategies. 

Example 5. Consider the CGSO $\mathcal{G}$ in Figure 1. It is a turn-based CGS with two players (Player $a_1$ plays
in circle nodes, and Player $a_2$ plays in box nodes). The set $\mathcal{M}$ is $\{1,2,3\}$. The partial observation for
Player $a_1$ is then given by: $\sim_{a_1}$ is $=_P$ (i.e. two states are equivalent if, and only if, the truth value of $P$
is the same in both states). Now consider the formula $\varphi = \langle\cdot a_1\cdot\rangle\,\mathbf{F}\,f$. To see that $\varphi$ holds true in $q_0$
with the standard semantics (where the strategy quantifiers are not restricted to compatible strategies),
it is sufficient to consider the (memoryless) strategy for a\ consisting in choosing the move m\ from q 2 
and the move m 2 (or mi,) from q^. Note that this strategy is not compatible (after qoq 2 and qoq 3 , agent a\ 
should choose the same move), thus we need to consider another one to show that q) is satisfied with the 
partial-observation semantics; for example, the strategy consisting in choosing m[ after qoqi and qoq 3 , 
m 2 after qoqiq 3 and mi after qoq 3 q 2 - If furthermore we look for a memoryless compatible strategy for a\, 
we can use the strategy assigning the move mi to q 2 and q^, hence the formula {■ai-)oF f also holds true 
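in $q_0$. Therefore, formula $\varphi$ holds true at $q_0$. On the other hand, formula $\langle\cdot a_1\cdot\rangle_0\,\mathbf{X}\mathbf{X}\mathbf{X}\,f$ does not hold
true in $q_0$, but formula $\langle\cdot a_1\cdot\rangle\,\mathbf{X}\mathbf{X}\mathbf{X}\,f$, where we drop the memory constraint, does hold true.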


Fig. 1: The turn-based CGS

In the sequel we will consider the model-checking problem of ATL$^*_{sc}$ over CGSOs, which takes as
input a CGSO $\mathcal{G}$, a control state $q_0$ and an ATL$^*_{sc}$ formula $\varphi$, and which answers yes if $\mathcal{G},q_0 \models \varphi$ and no
otherwise. We will also consider the satisfiability problem, which, given a formula $\varphi$ of ATL$^*_{sc}$, determines
whether there exists a CGSO $\mathcal{G}$ and a control state $q_0$ such that $\mathcal{G},q_0 \models \varphi$. We recall that when considering
concurrent game structures (with full observation), ATL$^*_{sc}$ model checking is decidable, but its satisfiability
problem is undecidable (except when restricting to turn-based games) [LM15].

2.3 From concurrent games to turn-based games 

Following our definitions, turn-based game structures can be seen as special cases of concurrent game
structures, where in each location only one player may have several non-equivalent moves. In this section,
we prove that any partial-observation CGSO can be turned into an equivalent partial-observation TBGSO
(where equivalent will be made precise later). While all players play at the same time in a CGSO, they
play one after the other (in any predefined order) in the corresponding TBGSO, but the intermediary states
are made indistinguishable to all players, so that no player can gain information from playing after another
one. Figure 2 schematically represents this transformation in the case of two players. Obviously, since
we add intermediary states, we also have to modify the ATL$^*_{sc}$ formula to be checked, by making the
intermediary states “invisible”; this is a classical construction in temporal logics. In the end, we prove the
following result:

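Fig. 2: Turning a CGSO into an equivalent TBGSO

Theorem 6. For any CGSO $\mathcal{G} = \langle Q, R, \ell, \mathsf{Agt}, \mathcal{M}, \mathsf{Mov}, \mathsf{Edge}, (\sim_a)_{a\in\mathsf{Agt}}\rangle$, we can compute a TBGSO
$\mathcal{T} = \langle Q', R', \ell', \mathsf{Agt}, \mathcal{M}, \mathsf{Mov}', \mathsf{Edge}', (\sim'_a)_{a\in\mathsf{Agt}}\rangle$ with $Q \subseteq Q'$, for which there is a logspace translation
$\varphi \in \mathsf{ATL}^*_{sc} \mapsto \widehat{\varphi} \in \mathsf{ATL}^*_{sc}$ such that for any $\varphi \in \mathsf{ATL}^*_{sc}$ and any state $q$ of $\mathcal{G}$, it holds:

$$\mathcal{G},q \models_{\emptyset} \varphi \iff \mathcal{T},q \models_{\emptyset} \widehat{\varphi}$$

Furthermore, if $\mathcal{G}$ is uniform, then so is $\mathcal{T}$.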

2.4 QCTL* in a nutshell 

As we explain in the sequel, under some restrictions (uniformity or restriction of the considered strategies), 
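the model-checking problem of ATL$^*_{sc}$ over CGSOs can be reduced to the model-checking problem of
the temporal logic Quantified CTL* over Kripke structures. QCTL* extends the classical branching-time
temporal logic CTL* with atomic proposition quantifiers $\exists P.\ \varphi_s$ (and its dual $\forall P.\ \varphi_s$), where $P$ is an
atomic proposition in AP:

$$\mathsf{QCTL}^* \ni \varphi_s, \psi_s ::= P \mid \neg\varphi_s \mid \varphi_s \vee \psi_s \mid \mathbf{E}\,\varphi_p \mid \exists P.\ \varphi_s$$

$$\varphi_p, \psi_p ::= \varphi_s \mid \neg\varphi_p \mid \varphi_p \vee \psi_p \mid \mathbf{X}\,\varphi_p \mid \varphi_p\,\mathbf{U}\,\psi_p$$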

where P ranges over AP. We briefly review QCTL* here, and refer to [LM14] for more details and 
examples. 

QCTL* formulas are then interpreted over a (classical) Kripke structure $\mathcal{S} = \langle Q,R,\ell\rangle$. Informally,
$\exists P.\ \varphi_s$ is used to specify the existence of a valuation for $P$ over $\mathcal{S}$ such that $\varphi_s$ is satisfied. We consider two
different semantics of $\exists P.\ \varphi$: the structure semantics, where one looks for a valuation of the structure $\mathcal{S}$,
and the tree semantics, where one considers the valuation of its execution tree.

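For $X \subseteq \mathsf{AP}$, two Kripke structures $\mathcal{S} = \langle Q,R,\ell\rangle$ and $\mathcal{S}' = \langle Q',R',\ell'\rangle$ are $X$-equivalent (denoted by
$\mathcal{S} \equiv_X \mathcal{S}'$) whenever $Q = Q'$, $R = R'$, and $\ell \equiv_X \ell'$ (i.e., $\ell(q) \cap X = \ell'(q) \cap X$ for any $q \in Q$). The structure
semantics of QCTL* (whose satisfaction relation is denoted by $\models_{st}$) is derived from the semantics of
CTL* by adding the following rule:

$$\mathcal{S},\rho,n \models_{st} \exists P.\ \varphi_s \quad\text{iff}\quad \exists \mathcal{S}' \equiv_{\mathsf{AP}\setminus\{P\}} \mathcal{S} \text{ such that } \mathcal{S}',\rho,n \models_{st} \varphi_s.$$

In other terms, $\exists P.\ \varphi_s$ means that it is possible to (re)label the Kripke structure with $P$ in order to make $\varphi_s$
hold. As for CGSOs, we write $\mathcal{S},q_0 \models_{st} \varphi_s$ whenever $\mathcal{S},\rho,0 \models_{st} \varphi_s$ for all paths $\rho$ such that $\rho(0) = q_0$.
The tree semantics (whose satisfaction relation is denoted by $\models_{tr}$) is defined as: $\mathcal{S},q_0 \models_{tr} \varphi_s$ if, and
only if, $\mathcal{T}_{\mathcal{S}}(q_0),q_0 \models_{st} \varphi_s$ (where $\mathcal{T}_{\mathcal{S}}(q_0)$ is the execution tree of $\mathcal{S}$ from $q_0$, seen as an infinite-state
Kripke structure).
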
Example 7. Consider formula $\mathbf{EX}\,\varphi \wedge \forall P.\ \big(\mathbf{EX}(\varphi \wedge P) \Rightarrow \mathbf{AX}(\varphi \Rightarrow P)\big)$, which we write $\mathbf{EX}_1\,\varphi$ in the
sequel. This formula states the existence of a unique immediate successor satisfying $\varphi$. We will reuse it
later in our construction.

Theorem 8 ([LM14]).

1. For the structure semantics, the model-checking problem of QCTL* is PSPACE-complete and the satisfiability problem is undecidable.

2. For the tree semantics, the model-checking and satisfiability problems of QCTL* are decidable, and
Tower-complete.


3 Model checking uniform CGSOs 

As we have already mentioned, it is well known that the model checking of ATL over CGSOs is
undecidable [AHK02, DT11]. Since ATL is a fragment of ATL$^*_{sc}$, this undecidability result also holds for ATL$^*_{sc}$.
We prove in this section that decidability can be regained by restricting to uniform partial observation,
i.e., by assuming that the observation is the same for all the agents. The idea consists in reducing the
model-checking problem of ATL$^*_{sc}$ over uniform CGSOs to the model-checking problem for QCTL* with
tree semantics over a complete Kripke structure representing the possible observations.

In the sequel, we consider a uniform CGSO $\mathcal{G} = \langle Q,R,\ell,\mathsf{Agt},\mathcal{M},\mathsf{Mov},\mathsf{Edge},(\sim_a)_{a\in\mathsf{Agt}}\rangle$ with the
finite set of states $Q = \{q_0,\ldots,q_s\}$, the finite set of moves $\mathcal{M} = \{m_1,\ldots,m_r\}$ and ${\sim_a} = {\sim}$ for all $a \in \mathsf{Agt}$.
For each $q \in Q$, we denote by $[q]$ the equivalence class of $q$ with respect to $\sim$, i.e. $[q] \in 2^Q$ is such that
$q' \in [q]$ if, and only if, $q \sim q'$. We also consider an ATL$^*_{sc}$ formula $\varphi_s$ whose $\langle\cdot{-}\cdot\rangle$-depth (i.e. the maximal
number of nested modalities $\langle\cdot{-}\cdot\rangle$) is $\lambda$ (we assume here that modalities $\langle\cdot\overline{-}\cdot\rangle$ and $(|\overline{-}|)$ have been previously
removed from $\varphi_s$, as the set of agents is known). The idea behind our proof is to consider a Kripke
structure as a complete graph whose set of nodes is the set of equivalence classes $[q]$. We then use the
power of QCTL* (with the tree semantics) to build paths and strategies in this Kripke structure. The fact
that, in the Kripke structure, the paths go through equivalence classes of states (and not through states)
guarantees that the corresponding strategies are compatible with the partial observation.

Before we build the Kripke structure, we need to introduce some sets of fresh atomic propositions
(not appearing in $\mathcal{G}$ or in $\varphi_s$) which we will use to encode paths and strategies in the Kripke structure. Let
$\mathsf{AP}_Q = \{q_i^\kappa \mid 1 \le i \le s \text{ and } 0 \le \kappa \le \lambda\}$, $\mathsf{AP}^a_{\mathcal{M}} = \{m_1^a,\ldots,m_r^a\}$ for every $a \in \mathsf{Agt}$, $\mathsf{AP}_{\mathcal{M}} = \bigcup_{a\in\mathsf{Agt}} \mathsf{AP}^a_{\mathcal{M}}$,
and $\mathsf{AP}_S = \{s_i \mid 1 \le i \le s\}$ be those sets of fresh atomic propositions. We assume that $\mathsf{AP}_Q$, $\mathsf{AP}_{\mathcal{M}}$ and
$\mathsf{AP}_S$ are subsets of AP. Intuitively, propositions in $\mathsf{AP}_Q$ will be used to fix a path of $\mathcal{G}$ at each level $\kappa$ of
quantification (a path at level $\kappa$ being a sequence of states $q_i^\kappa$); propositions in $\mathsf{AP}^a_{\mathcal{M}}$ will be used to label
the choices corresponding to a strategy of agent $a$.

The Kripke structure associated with $\mathcal{G}$ is then defined as $\mathcal{S}_{\mathcal{G}} = \langle Q_{\mathcal{G}}, R_{\mathcal{G}}, \ell_{\mathcal{G}}\rangle$ where $Q_{\mathcal{G}} = \{[q] \mid q \in Q\}$,
$R_{\mathcal{G}} = Q_{\mathcal{G}} \times Q_{\mathcal{G}}$ and $\ell_{\mathcal{G}}([q]) = \{s_i \mid q_i \in [q]\}$. Compatible strategies can then be encoded as functions
labeling the execution trees of this Kripke structure (from the state where we evaluate the formula):
a strategy $f_a$ for some agent $a$ is represented as a function that labels the execution
tree of $\mathcal{S}_{\mathcal{G}}$ from the current state $q$ with propositions in $\mathsf{AP}^a_{\mathcal{M}}$. However, note that, $\mathcal{S}_{\mathcal{G}}$ being a
complete graph, paths in this structure might not correspond to paths in the associated CGSO $\mathcal{G}$: we will
use atomic propositions $q_i^\kappa$ to identify concrete paths of $\mathcal{G}$.

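Given a coalition $B$ in Agt, an integer $0 \le \kappa \le \lambda$, and a subformula $\varphi$ of $\varphi_s$ at $\langle\cdot{-}\cdot\rangle$-depth $\kappa$, we define a
QCTL* formula $\overline{\varphi}^{B,\kappa}$ inductively as follows:

$$\overline{P}^{B,\kappa} = \bigvee_{\{i \,\mid\, P \in \ell(q_i)\}} q_i^\kappa$$

$$\overline{\neg\varphi}^{B,\kappa} = \neg\,\overline{\varphi}^{B,\kappa}$$

$$\overline{\mathbf{X}\,\varphi_p}^{B,\kappa} = \mathbf{X}\,\overline{\varphi_p}^{B,\kappa}$$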

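For a formula of the shape* $\langle\cdot a\cdot\rangle\,\varphi_p$, the construction is as follows:

$$\overline{\langle\cdot a\cdot\rangle\,\varphi_p}^{B,\kappa} = \exists m_1^a \ldots m_r^a.\ \Big[\Phi_{strat}(\{a\}) \wedge \forall q_1^{\kappa+1} \ldots q_s^{\kappa+1}.\ \Big(\big(\Phi_{path}(\kappa+1) \wedge \bigvee_{1\le i\le s}(q_i^\kappa \wedge q_i^{\kappa+1}) \wedge \Phi_{out}(\kappa+1, B\cup\{a\})\big) \Rightarrow \mathbf{A}\big(\mathbf{G}\bigvee_{1\le i\le s} q_i^{\kappa+1} \Rightarrow \overline{\varphi_p}^{B\cup\{a\},\kappa+1}\big)\Big)\Big]$$

with

$$\Phi_{strat}(A) = \bigwedge_{a\in A} \mathbf{AG}\Big(\bigvee_{1\le j\le r}\big(m_j^a \wedge \bigwedge_{j'\ne j} \neg m_{j'}^a\big)\Big)$$

$$\Phi_{path}(\kappa+1) = \mathbf{EG}\Big(\bigvee_{1\le i\le s}\big(q_i^{\kappa+1} \wedge s_i \wedge \bigwedge_{i'\ne i} \neg q_{i'}^{\kappa+1}\big) \wedge \mathbf{EX}_1\big(\bigvee_{1\le i\le s} q_i^{\kappa+1}\big)\Big)$$

$$\Phi_{out}(\kappa+1, B) = \mathbf{EG}\Big(\bigvee_{1\le i\le s}\ \bigvee_{\{(m,q_j) \,\mid\, m \in \mathcal{M}^{\mathsf{Agt}} \wedge q_j = \mathsf{Edge}(q_i,m)\}} \big(q_i^{\kappa+1} \wedge m^B \wedge \mathbf{EX}\,q_j^{\kappa+1}\big)\Big)$$

where $m^B$ is a shorthand for the formula $\bigwedge_{\{(b,m_t) \,\mid\, b\in B \wedge m[b]=m_t\}} m_t^b$. We point out the fact that $\Phi_{out}(\kappa+1, B)$
is based on the transition table Edge of $\mathcal{G}$; consequently, its size is in $O(|Q|^2 \cdot |\mathcal{M}|^{|\mathsf{Agt}|})$ (i.e., in $O(|Q| \cdot |\mathsf{Edge}|)$).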

The intuition behind formula $\overline{\langle\cdot a\cdot\rangle\,\varphi_p}^{B,\kappa}$ is as follows: the formula first “selects” a strategy for agent $a$
under the form of a labeling of the execution tree of $\mathcal{S}_{\mathcal{G}}$ with $m_j^a$; it then uses subformula $\Phi_{strat}(\{a\})$ to
ensure that this labeling correctly encodes a strategy for $a$; finally, it checks that all the outcomes of the
selected strategy satisfy $\varphi_p$. The latter task is achieved by considering all the labelings of the structure
with $q_i^{\kappa+1}$, and, for the labelings that correspond to one outcome of the selected strategy, by checking the
formula $\varphi_p$. Ensuring that a labeling corresponds to an outcome is done as follows:

1. it corresponds to an infinite branch in the execution tree of $\mathcal{S}_{\mathcal{G}}$, and each node labeled by $q_i^{\kappa+1}$
should correspond to a node $[q_i]$ (labeled by $s_i$) in $\mathcal{S}_{\mathcal{G}}$ (both points are ensured by formula†
$\Phi_{path}(\kappa+1)$);

2. at the present position, one of the propositions $q_i^{\kappa+1}$ has to match with one of the states $q_i^\kappa$ of the
previous level (this ensures that the path labeled by $q_i^{\kappa+1}$ starts from the “current state” considered
in the game);

3. the branch obtained by this labeling effectively follows the choices dictated by the labels $m_j^b$
encoding the strategies for $b \in B\cup\{a\}$; this is checked by the formula $\Phi_{out}(\kappa+1, B\cup\{a\})$.

Finally, the formula checks that the corresponding path satisfies the formula $\overline{\varphi_p}^{B\cup\{a\},\kappa+1}$.

The correctness of the reduction is stated in the following theorem: 

*For the sake of readability, we restrict to one-player coalitions here; the construction easily extends to the general case
with a coalition (including the empty coalition).

†See Example 7 for the definition of $\mathbf{EX}_1$.

Theorem 9. Let $\varphi_s$ be an ATL$^*_{sc}$ state-formula, $\mathcal{G}$ be a uniform CGSO, and $q_a$ be a state of $\mathcal{G}$. Then:

qa 1= % if and only if [qa] |=tr 3q° . A q° ) 

Proof. First we point out the fact that none of the formulas used in the reduction checks that the considered
strategies are compatible, but in fact this is guaranteed because we evaluate the formula over the Kripke
structure $\mathcal{S}_{\mathcal{G}}$, and two equivalent paths in $\mathcal{G}$ with respect to $\sim$ are necessarily matched to a unique path in
the execution tree of $\mathcal{S}_{\mathcal{G}}$.

We now prove that our reduction is correct. Let $\mathcal{T}_{\mathcal{S}_{\mathcal{G}}}([q_a]) = \langle T_{\mathcal{G}}, R'_{\mathcal{G}}, \ell'_{\mathcal{G}}\rangle$ be the execution tree of the
Kripke structure $\mathcal{S}_{\mathcal{G}}$ from the state $[q_a]$. Note that nodes in $\mathcal{T}_{\mathcal{S}_{\mathcal{G}}}([q_a])$ are thus finite paths of the form
$[q_0][q_1]\cdots[q_k]$ (with $q_0 = q_a$). For a finite path $\pi$ in $\mathcal{G}$ such that $\pi(0) = q_a$, we denote by $[\pi]$ the path
in $\mathcal{S}_{\mathcal{G}}$ such that $|\pi| = |[\pi]|$ and for all $0 \le i < |\pi|$, we have $[\pi](i) = [\pi(i)]$. We also denote by $\mathsf{path}(\pi)$
the path in $\mathcal{T}_{\mathcal{S}_{\mathcal{G}}}([q_a])$ such that $|\mathsf{path}(\pi)| = |\pi|$ and for all $0 \le i < |\pi|$, $\mathsf{path}(\pi)(i) = [\pi_{\le i}]$. We now
consider the tree $\mathcal{T}' = \langle T_{\mathcal{G}}, R'_{\mathcal{G}}, \ell'\rangle$ where $\ell'$ extends the function $\ell'_{\mathcal{G}}$ with propositions of type $m_j^b$ and $q_i^\kappa$.
This extension is used to encode a strategy context and to describe a path of $\mathcal{G}$. Given a compatible
strategy $f_B = \{f_b\}_{b\in B}$ for the coalition $B = \{b_1,\ldots,b_h\}$, an infinite path $\rho$ in $\mathcal{G}$ such that $\rho(0) = q_a$ and a
position $n \ge 0$, we say that $\ell'$ is:

• an $f_B$-labeling whenever, for every node $\gamma \in T_{\mathcal{G}}$ with $\gamma = [\pi]$ for some finite path $\pi$ in $\mathcal{G}$, for any
$b \in B$ and for any $1 \le j \le r$, we have $m_j^b \in \ell'(\gamma)$ if, and only if, $f_b(\pi) = m_j$;

• a $(\kappa,\rho)$-labeling if the following two conditions are verified:

1. for all $j \ge 0$, it holds $q_i^\kappa \in \ell'([\rho_{\le j}])$ if, and only if, $\rho(j) = q_i$;

2. if $q_i^\kappa \in \ell'(\pi)$ for a node $\pi \in T_{\mathcal{G}}$, then there exists $j \ge 0$ such that $\pi = [\rho_{\le j}]$.

In other words, the propositions $q_1^\kappa,\ldots,q_s^\kappa$ label a unique branch in the tree, that can be matched
with the path $\rho$.

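We say that, for $0 \le \kappa \le \lambda$, a subformula $\varphi$ of $\varphi_s$ occurs at $\langle\cdot{-}\cdot\rangle$-depth $\kappa$ if the number of
$\langle\cdot{-}\cdot\rangle$-quantifiers above $\varphi$ in the tree representing formula $\varphi_s$ is $\kappa$.

Proposition 10. Let $\varphi$ be some subformula of $\varphi_s$ which occurs at $\langle\cdot{-}\cdot\rangle$-depth $\kappa$ with $0 \le \kappa \le \lambda$, $\rho$ be a
run of $\mathcal{G}$ such that $\rho(0) = q_a$, $n$ be a natural number, and $f_B$ be a compatible strategy for coalition $B$. Let
$\mathcal{T}' = \langle T_{\mathcal{G}}, R'_{\mathcal{G}}, \ell'\rangle$ be the tree defined as above. If $\ell'$ is an $f_B$-labeling and a $(\kappa,\rho)$-labeling, then we have:

$$\mathcal{G},\rho,n \models_{f_B} \varphi \quad\text{if, and only if,}\quad \mathcal{T}',\mathsf{path}(\rho),n \models_{st} \overline{\varphi}^{B,\kappa}.$$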

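Proof. The proof is done by structural induction over $\varphi$. In the following, we let $q_{a'} = \rho(n)$.

• case $\varphi = P$: we have $\rho(n) \models_{f_B} P$ if, and only if, $P \in \ell(q_{a'})$. As $\ell'$ is a $(\kappa,\rho)$-labeling, we know
that $\mathcal{T}',\mathsf{path}(\rho),n \models q_{a'}^\kappa$. By definition of $\overline{P}^{B,\kappa}$, the implication follows. Conversely, assume
$\mathcal{T}',\mathsf{path}(\rho),n \models \overline{P}^{B,\kappa}$; we know that $\rho(n)$ has to be labeled by $P$, because $\ell'$ is a $(\kappa,\rho)$-labeling.

• case $\varphi = \varphi_p\,\mathbf{U}\,\psi_p$: if $\mathcal{G},\rho,n \models_{f_B} \varphi_p\,\mathbf{U}\,\psi_p$, there exists $i \ge n$ s.t. $\mathcal{G},\rho,i \models_{f_B} \psi_p$ and, for any $n \le j < i$,
we have $\mathcal{G},\rho,j \models_{f_B} \varphi_p$. By i.h., we get $\mathcal{T}',\mathsf{path}(\rho),i \models \overline{\psi_p}^{B,\kappa}$ and, for any $j$, $\mathcal{T}',\mathsf{path}(\rho),j \models \overline{\varphi_p}^{B,\kappa}$;
from this we obtain $\mathcal{T}',\mathsf{path}(\rho),n \models \overline{\varphi_p\,\mathbf{U}\,\psi_p}^{B,\kappa}$. The converse is similar.

• case $\varphi = \langle\cdot a\cdot\rangle\,\varphi_p$: Assume $\mathcal{G},\rho,n \models_{f_B} \langle\cdot a\cdot\rangle\,\varphi_p$. Then there exists a $\sim$-compatible strategy $f_a$ s.t. for
any $\rho' \in \mathsf{Out}(\rho_{\le n}, f_a\circ f_B)$, we have $\mathcal{G},\rho',n \models_{f_a\circ f_B} \varphi_p$. From this strategy $f_a$, we deduce a valuation
for propositions $m_1^a,\ldots,m_r^a$ extending $\ell'$ over $T_{\mathcal{G}}$ (because $f_a$ is $\sim$-compatible), and satisfying
$\Phi_{strat}(\{a\})$. Now extend $\ell'$ with a valuation for $q_1^{\kappa+1},\ldots,q_s^{\kappa+1}$ following the run $\rho'$ (i.e. for every
state $\rho'(i) = q_j$, the corresponding node $[\rho'](i)$ is labeled by $q_j^{\kappa+1}$, and only $[\rho']$-nodes are labeled
by these propositions). Let $\ell''$ be this new valuation for $\mathcal{T}'$, and $\mathcal{T}''$ the resulting tree. Then clearly we have:
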
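- $\mathcal{T}'',\mathsf{path}(\rho),n \models \Phi_{path}(\kappa+1)$, since the $q^{\kappa+1}$ propositions label a path;

- $\mathcal{T}'',\mathsf{path}(\rho),n \models \bigvee_{1\le i\le s}(q_i^\kappa \wedge q_i^{\kappa+1})$, because the current position belongs to the runs $\rho$ and $\rho'$, and
the new run $\rho'$ is issued from the current position;

- $\mathcal{T}'',\mathsf{path}(\rho),n \models \Phi_{out}(\kappa+1, B\cup\{a\})$, meaning that the labeling of $q^{\kappa+1}$ propositions follows
the "correct" path $\rho'$ from $\mathsf{Out}(\rho_{\le n}, f_a\circ f_B)$;

- finally, $\mathcal{T}'',\mathsf{path}(\rho'),n \models \overline{\varphi_p}^{B\cup\{a\},\kappa+1}$.

Therefore we have: $\mathcal{T}',\mathsf{path}(\rho),n \models \overline{\langle\cdot a\cdot\rangle\,\varphi_p}^{B,\kappa}$.

We now prove the converse implication. Assume $\mathcal{T}',\mathsf{path}(\rho),n \models \overline{\langle\cdot a\cdot\rangle\,\varphi_p}^{B,\kappa}$. From the existence
of a labeling for $m_1^a,\ldots,m_r^a$ satisfying $\Phi_{strat}(\{a\})$, we deduce a $\sim$-compatible strategy $f_a$ in $\mathcal{G}$
for every finite run issued from $\rho_{\le n}$. Now consider a valuation for $q_1^{\kappa+1},\ldots,q_s^{\kappa+1}$. Either it
makes the left-hand side subformula of the implication false, and there is no consequence,
or this subformula is true and in this case, the valuation describes a run $\rho'$ in $\mathcal{G}$ issued from $\rho(n)$
and belonging to $\mathsf{Out}(\rho_{\le n}, f_a\circ f_B)$; this run has to satisfy $\overline{\varphi_p}^{B\cup\{a\},\kappa+1}$, and by i.h. we get that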

Corollary 11. The model-checking problem of ATL$^*_{sc}$ over uniform CGSOs is decidable (and
Tower-complete).

Remark 12. Our algorithm can be used to decide whether one player (with partial observation of the
system) has a compatible strategy to win against all the other players, whatever the observation of
the other players is (since the implicit quantification in strategy quantifiers ranges over all the outcomes).
As a consequence, when considering the fragment of ATL in which strategy quantifiers always involve at
most one-player coalitions, the model-checking problem is decidable for possibly non-uniform partial
observation. It can be checked that indeed the undecidability proof of [DT11] involves a strategy
quantification over a coalition of two players with different observation.

4 Restriction to memoryless strategies 

In this section, we show that another way to obtain decidability for the model-checking problem of ATL*sc 
over game structures with (possibly non-uniform) partial observation is to restrict the set of considered 
strategies to memoryless strategies. We denote by ATL*sc,0 the temporal logic obtained from ATL*sc by 
replacing respectively the quantifiers over strategies ⟨·A·⟩ by ⟨·A·⟩0 and ⟨·Ā·⟩ by ⟨·Ā·⟩0. Given a CGSO '^, 
a path p of and n ∈ ℕ such that n < |p| and fB ∈ Strat0(B), the semantics of these two operators is 
given by: 

(•^•)o<Pp iff e Strato (A). Vp' G Out(p<„,gAo/B)-'^,p',« |=g^o/B 

'^>P>«I=A Wof’p iff 3g;4GStrato(Agt\A).Vp'GOut(p<„,gjo/B).‘^,p',n^g_o/^(Pp 

In [LM15], a reduction from the model-checking problems of ATLsc,0 and ATL*sc,0 to the QCTL* model-checking 
problem over concurrent game structures with perfect observation is given; the main idea is to use the 
structure semantics instead of the tree semantics. In this framework the complexity is lower, since both 
problems are PSPACE-complete: the number of memoryless strategies for one player being bounded (by |M|^|Q|), 
we can easily enumerate all of them, and store each strategy within polynomial space. When considering 
partial observation, we can use the same approach; we also need to ensure that the chosen strategies are 
compatible, but this can easily be achieved when considering memoryless strategies, since one only needs 
to check that a strategy fa proposes the same move for two equivalent states (w.r.t. ∼a). 

Let if = Mov, Edge, (∼a)a∈Agt) be a CGSO with finite set of states Q = {q0, ..., qs}, 

finite set of moves ^ = {m\rrir} and the finite set of agents Agt = {a\,...,ap}. For each a G Agt, we 
suppose that the number of equivalence classes for is and we use the notation Ef with 1 < / < Uq to 
represent the f-th equivalence class of ~a. We denote by the Kripke structure underlying if 

based on the same states and the same transitions, and where the labeling function extends i by adding 
labels from the sets {P^ | ^ G 2} U {Pp | a G Agt A 1 < / < no} in such a way that the following two 
conditions hold: 

• Pg G if, and only if, q' = q, 

• for all a G Agt, Pp g ijeiq) if, and only if, q G Ef. 

Below we show how to translate a formula % of ATL*sc,0 into a formula of QCTL* such that 
we will have if,q0 |= % for a state q0 of iff |=st Note that, contrary to the previous 
section, we consider here the structure semantics [LM14] when performing the model checking of ; 
this means that instead of ranging over labelings of the execution tree, propositional quantification ranges 
over labelings of the Kripke structure. This is due to the fact that the compatible memoryless strategies we 
take into account here are functions mapping equivalent states (and no longer paths of equivalent states) 
to the same move. Given a coalition B in Agt and tp a subformula of <Ps, we define a QCTL* formula 
inductively as follows: 

=P 

—- ~~B ^jj 

(jOAt/r = (p At// 

— —B _ n _n 

=% UvAp 

For a formula of the shape (•a-)o %, we let^ 


(KDf’s 

= <Ps 

—B 

^B 

^(p 

= -<P 

-^~~~B 

X<Pp 



{■a-)oq>P =3m^...m".(<I>strato({a})AA (<I>;^t({a}UB)) 




BU{a} 


where 
1 <;■<'• 


m 


“A A- 

j'fj 


I m : 


A /\ /\ EF(P~“Am")^AG(P;r''^m^) 
96 Q 


A 


[(P,Am®)^XP,,]). 


{(m.9') 


l 5 '=Edge(g,m) 


} 


where is a shorthand for the formula The last formula characterizes 
the outcomes of the strategies in use for some coalition B. We point out that the QCTL* formula has 
size O(|Φ| • | 2 | • (|Agt| • \Jf'^ -L |2| • |Edge|)). 

A memoryless and compatible strategy fB can easily be encoded by labeling states of with 
the moves of the coalition B thanks to the propositions m^a_1, ..., m^a_r, for a ∈ B. The formula Φstrat0(B) is 
here to ensure both that the labels correspond to a strategy for coalition B and that such a strategy is 
memoryless and compatible: for all reachable states labeled with some move, the formula verifies that all 
the equivalent states are labeled by the same move. Note that this property ranges over reachable states: 
we could have unreachable states that are labeled in an improper way but this is not a problem as such 
states will never be reached from the current position (and consequently they cannot impact the truth 
value of the formula). 

^As in the previous case, the extension to ⟨·Ā·⟩0 is straightforward. 

We will now consider the Kripke structure = ⟨Q, R, ℓ'⟩ where ℓ' extends the function with 
propositions of type m^a_j. Given a compatible memoryless strategy fB = (fb)b∈B for the coalition B, we say 
that ℓ' is an fB-labeling if for every node q ∈ Q, for any b ∈ B and for any 1 ≤ j ≤ r, we have m^b_j ∈ ℓ'(q) 
iff fb(q) = mj (we recall that a memoryless strategy fb can be seen as a function from Q to ^). 

Proposition 13. Let p be a run of ^, n be a natural number, fB be a compatible strategy in Strat0(B) 
for coalition B. If ℓ' is an fB-labeling, then we have: 

(Ps iff =^,P,«|=9s 

Proof. The proof is done by structural induction over Φ. 

• <I) = (ppUt/Tp: Assume ^,p,n \=f^ tppUYp- Therefore there exists i > n s.t. ^,p,i\=fg Y? ^^d for 
any n < j < i, we have ^,p,j\=fg(Pp. For every position between n and i, the induction hypothesis 
can be applied and we deduce JLf,p ,n\= tp^ U t//p . The converse is done similarly. 

• <I> = {-a-) (pp. (1) =^(2). Assume ^,p,n\=fg {-a-) tpp. There exists a memoryless compatible strategy 

fa s.t. for any p' G Out(p<„,/ao/g), we have ‘^,p',n |=/„o/g %■ Thus we can find a labeling of 
propositions mj,...,m“ for to represent fa- This labeling completes the existing one for 
strategy context Fg and the formula <I>strato({‘^} UF) is then satisfied on J(f^,p,n. And any =j^-run 
satisfying <I>Q^^({a} Ufi) belongs to the set of outcomes generated by the strategy context fa°fB, 
and then satisfies by induction hypothesis. 

(2) =^(1). Now assume .Jff^,p,n |= (p^. Therefore there exists a labeling for m",..., m“ such that 
<I>strato({^}) holds true. Such a labeling defines a memoryless and compatible strategy for the 
reachable states (from p,n). And finally every run satisfying <I>o^^({a} Ufi) has to satisfy 
By induction hypothesis we get the stated result. □ 

Thus we have: 

Theorem 14. The model-checking problem of ATL*sc,0 is PSPACE-complete. 

Proof. QCTL* model checking can be solved in polynomial space for the structure semantics. This 
immediately gives a PSPACE algorithm for our problem. Conversely, ATLsc,0 model checking (with 
perfect observation) is PSPACE-hard [BDLM09]. This extends immediately to the partial-observation 
setting. □ 

Remark 15. Quantification over memoryless strategies could also be achieved using the tree semantics, 
following the presentation of Section 3. To do so, it suffices to label each state with its name (hence adding 
a few extra atomic propositions) and to require that the labeling of the execution tree with strategies 
satisfies that whenever some state s is labeled with some move mi, then all the occurrences of s must be 
labeled with the same move mi. 

While this has little interest for model checking ATL*sc,0 in terms of complexity, it shows that model 
checking remains decidable for the logic involving quantification over both memoryful, bounded-memory 
and memoryless strategies. 

5 Satisfiability and partial observation 

In this section, we consider satisfiability checking: given a formula Φ, we look for a game structure ‘if, an 
equivalence ∼ over states, and a control state q0, such that ‘if,q0 |= Φ. This problem is undecidable for 
ATLsc (and ATL*sc) in the classical setting of perfect-observation games. 

First note that considering partial observation makes the problem different: there exist formulas that 
are satisfiable under partial observation, and not satisfiable for full observation. Consider the formula Φ = 
AX(⟨·a1·⟩ X f) ∧ ¬⟨·a1·⟩ XX f. Clearly Φ is satisfiable when considering games with partial observation: 
for example, one can consider the turn-based structure in Figure 3, where a1 plays in circle nodes and a2 
plays in box nodes, and where ∼ is =p: from q0, there is no ∼-strategy for a1 ensuring the property XX f 
(because from the strategy should play the same move after q0q1 and q0q2), but the subformula ⟨·a1·⟩ X f 
holds true in q1 and in q2. 


Fig. 3: The turn-based CGS ‘if s.t. q0 |= Φ 

But formula Φ is not satisfiable in the classical case: assume that AX(⟨·a1·⟩ X f) is satisfied in some 
state q, then from every q-successor q' there is a strategy fq' for a1 to ensure X f. Therefore the strategy 
for a1 consisting, from q, in choosing an arbitrary move, and then in following the strategy fq' for every 
possible successor q', ensures the property XX f. 
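
The argument above can be replayed by brute force, using the enumeration of compatible memoryless strategies described in Section 4. The following Python code is an added example, not part of the paper: the five-state structure, the state and move names, and the observation classes are constructed here in the spirit of Figure 3, and strategy quantifiers range over memoryless strategies only.

```python
from itertools import product

# Constructed turn-based structure in the spirit of Figure 3 (names are assumptions).
STATES = ["q0", "q1", "q2", "win", "lose"]
MOVES = ["m1", "m2"]
OWNER = {"q0": "a2", "q1": "a1", "q2": "a1", "win": "a1", "lose": "a1"}
EDGE = {  # (state, move of the state's owner) -> successor
    ("q0", "m1"): "q1", ("q0", "m2"): "q2",
    ("q1", "m1"): "win", ("q1", "m2"): "lose",
    ("q2", "m1"): "lose", ("q2", "m2"): "win",
    ("win", "m1"): "win", ("win", "m2"): "win",
    ("lose", "m1"): "lose", ("lose", "m2"): "lose",
}
F = {"win"}  # states labelled with the proposition f

PARTIAL = [{"q0"}, {"q1", "q2"}, {"win"}, {"lose"}]  # a1 cannot tell q1 from q2
PERFECT = [{q} for q in STATES]

def compatible_strategies(classes):
    """Enumerate the |MOVES|^|STATES| memoryless strategies of a1 and keep
    those that propose the same move on every pair of equivalent states."""
    for choice in product(MOVES, repeat=len(STATES)):
        strat = dict(zip(STATES, choice))
        if all(len({strat[q] for q in cls}) == 1 for cls in classes):
            yield strat

def step(states, strat):
    """One-step outcomes: a1 follows strat, a2's moves are unconstrained."""
    out = set()
    for q in states:
        moves = [strat[q]] if OWNER[q] == "a1" else MOVES
        out |= {EDGE[q, m] for m in moves}
    return out

def can_enforce(q, steps, classes):
    """True iff some compatible memoryless strategy of a1 forces f after `steps` steps."""
    for strat in compatible_strategies(classes):
        reached = {q}
        for _ in range(steps):
            reached = step(reached, strat)
        if reached <= F:
            return True
    return False

def phi_holds(q, classes):
    """AX(<.a1.> X f) and not <.a1.> XX f at q, with an empty strategy context."""
    successors = {EDGE[q, m] for m in MOVES}
    return (all(can_enforce(s, 1, classes) for s in successors)
            and not can_enforce(q, 2, classes))

if __name__ == "__main__":
    print(phi_holds("q0", PARTIAL), phi_holds("q0", PERFECT))  # True False
```

Under PERFECT the same structure no longer satisfies the formula, because a1 may then play m1 in q1 and m2 in q2; this illustrates the argument for one structure and is not a satisfiability check.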

From a decidability point of view, considering partial observation does not make satisfiability problems 
simpler: in fact this problem remains undecidable for ATLsc. Furthermore, it is even worse than in 
the classical setting: while turn-based satisfiability is decidable when perfect information is assumed, 
it is undecidable when one considers the partial observation case. 

Theorem 16. Satisfiability problems for ATL*sc, ATLsc, ATL*sc,0 and ATLsc,0 (with partial observation) 
are undecidable even restricted to turn-based structures. 

Proof. We can mostly reuse the proof of Troquard and Walther [TW12] (which we have slightly modified in 
[LM15]). The key idea of their proof is to reduce S5^n satisfiability to ATLsc satisfiability. Given an 
S5^n formula Φ, one can build an ATLsc formula ⟨·∅·⟩ Φ such that Φ is satisfiable iff ⟨·∅·⟩ Φ is satisfiable. 
Without considering the details of the proof, one can just note that Φ uses Boolean operators and strategy 
quantifiers ⟨·ai·⟩ (for 1 ≤ i ≤ n) and formulas of the form X P: there is no U modality and there is no 
nesting of X. Therefore with such a formula, every strategy quantifier is interpreted in a unique state w 
and we only consider the moves done in this state w: adding an equivalence ∼ over states or considering 
memoryless strategies does not change the semantics of Φ. 

Assume that Φ is satisfiable. From the proof of [TW12], one can build a game structure ‘if satisfying 
⟨·∅·⟩ Φ. Moreover one can use the reduction of Theorem 6 to get a turn-based game with partial information. 

Now assume that ⟨·∅·⟩ Φ is satisfiable. Therefore there exists a game structure ‘if with an equivalence ∼ 
such that ‘if,q |= ⟨·∅·⟩ Φ. This structure is based on a set of agents {1, ..., k} with k < n. And there is a 
strategy F for Agt such that ‘if,q\=f^ and Φ may only modify the choices for players a1, ..., an. If k > n, 
we can replace the players n + 1, ..., k by their first move selected by F from q. This gives a game structure 
based on Agt = {a1, ..., an}. And we can use the same construction of a corresponding S5^n model for 
Φ as is done in [LM15], and as explained before, considering partial information does not change the 
construction since every strategy is applied from the same unique initial state of the game. □ 


6 Conclusion 

In this paper, we have proved that the model checking of ATLsc over games with uniform partial observation 
is decidable. It would be interesting to study whether our uniformity requirement on the observation 
of each player in the game could be relaxed in order to be able to analyze richer models. One possible 
direction is to look at games with hierarchical information [BMV15], but we currently could not find a 
way of extending our algorithm to non-uniform observation. 